Is there a patch available for CVE-2026-34478?

Yes, a patch is available for CVE-2026-34478. Update the affected software to the latest version immediately.

Apache CVE-2026-34478

Q: What is the CVSS score of CVE-2026-34478?

CVE-2026-34478 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-21408 MEDIUM

Incorrect Provision of Specified Functionality (CWE-684)

2026-04-10 apache

GHSA-445c-vh5m-36rj

Apache Code Injection

6.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 10, 2026 - 16:00 euvd

EUVD-2026-21408

Analysis Generated

Apr 10, 2026 - 16:00 vuln.today

Patch released

Apr 10, 2026 - 16:00 nvd

Patch available

CVE Published

Apr 10, 2026 - 15:40 nvd

MEDIUM 6.9

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

238 maven packages depend on org.apache.logging.log4j:log4j-core (107 direct, 131 indirect)

Ecosystem-wide dependent count for version 2.21.0.

DescriptionNVD

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

AnalysisAI

Apache Log4j Core 2.21.0 through 2.25.3 allows remote log injection via CRLF sequences in Rfc5424Layout due to undocumented renaming of security-relevant configuration attributes (newLineEscape and useTlsMessageFormat). Attackers can inject malicious log entries or downgrade TLS-framed syslog to unframed TCP, compromising log integrity for stream-based syslog services. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory